[Opendnssec-user] Using the PIN daemon to control redundant nodes

Billy Glynn billy.glynn at iedr.ie
Wed Aug 8 15:42:17 UTC 2012


Hi Rick,

I'm looking forward to the release of the PIN daemon functionality. 

On 8 Aug 2012, at 15:59, Rick van Rein wrote:

> To me, it makes a lot of sense to control a redundant setup by
> having only one node logged in at a time.  Or does it sound like
> an unintended hack?  How do other users feel about this?


In our case (dot IE ccTLD), we would like to be able to have two nodes access our DB and HA HSMs.

Every time we need to generate and sign a zone, we generate a zone with a serial of, for example, 2012080801 on nodeA and 2012081501 on nodeB. All other data within the unsigned zones is identical apart from the serial.

Each of those unsigned zones is then signed and validated etc.

We use this approach so that we can publish a last-known good zone, with up to one week's grace, should some disaster happen where a bad signed zone was published (for whatever reason). 

Cheers

Billy 
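An added illustration of the two-node serial scheme described in this post (example code, not from the thread or OpenDNSSEC): nodeB's zone carries a serial dated a week ahead, and secondaries only accept a zone whose serial is greater under RFC 1982 serial arithmetic, so the check below shows for how many days the nodeB zone remains a usable last-known-good fallback. The YYYYMMDDnn layout and the seven-day grace are taken from the post; the function names are my own.

```python
# Added example (not from the thread): date-based serials for the two signing
# nodes and the RFC 1982 comparison that decides whether the fallback zone
# from nodeB still supersedes whatever nodeA last published.
from datetime import date, timedelta

HALF = 1 << 31  # half the 32-bit serial space (RFC 1982)


def date_serial(day: date, revision: int = 1) -> int:
    """YYYYMMDDnn serial as in the post: 2012-08-08, rev 1 -> 2012080801."""
    if not 0 <= revision <= 99:
        raise ValueError("revision must fit in two digits")
    return int(f"{day:%Y%m%d}{revision:02d}")


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is 'greater than' b in 32-bit wrap-around arithmetic."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def node_serials(year: int, month: int, day: int,
                 grace_days: int = 7, revision: int = 1) -> tuple[int, int]:
    """Serials from one signing run: nodeA uses today's date, nodeB a date
    grace_days ahead (2012080801 / 2012081501 in the post)."""
    today = date(year, month, day)
    return (date_serial(today, revision),
            date_serial(today + timedelta(days=grace_days), revision))


def fallback_usable(published_serial: int, fallback_serial: int) -> bool:
    """Secondaries transfer only a zone whose serial wins under RFC 1982, so
    the nodeB zone is a valid rollback only while it beats the published one."""
    return serial_gt(fallback_serial, published_serial)


def grace_days_covered(year: int, month: int, day: int,
                       grace_days: int = 7, revision: int = 1) -> int:
    """Count the consecutive days (starting today) on which nodeA's daily
    serial is still beaten by the nodeB serial produced today."""
    start = date(year, month, day)
    _, fallback = node_serials(year, month, day, grace_days, revision)
    covered = 0
    for n in range(grace_days + 2):  # look a little past the grace window
        if not fallback_usable(date_serial(start + timedelta(days=n), revision), fallback):
            break
        covered += 1
    return covered
```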